CVE-2026-54108: Patch SharePoint Server Spoofing Flaw

Microsoft has patched CVE-2026-54108, an Important-rated SharePoint Server vulnerability that allows a low-privileged, authenticated attacker to spoof content over a network and potentially expose confidential information. The July 14, 2026 security updates cover SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the flaw carries a CVSS 3.1 base score of 6.5. Microsoft has not identified it as publicly disclosed or exploited in the wild, according to the July update assessment published by Trend Micro’s Zero Day Initiative.
That makes CVE-2026-54108 less urgent than an unauthenticated remote-code-execution bug, but it is not harmless. Its network reach, low attack complexity, lack of required user interaction, and potential for high confidentiality impact make it relevant to any organization running an on-premises SharePoint farm.

SharePoint servers are protected by a glowing cybersecurity shield against malware and unauthorized access.Authentication Narrows the Door, Not the Damage​

CVE-2026-54108 stems from external control of a file name or path, classified as CWE-73. In practical terms, SharePoint does not adequately constrain attacker-influenced path or filename data in the affected operation, creating an opportunity for an authorized user to make content or resources appear to come from somewhere they do not.
Microsoft describes the result as spoofing rather than code execution or elevation of privilege. That classification matters: the published CVSS vector assigns no direct integrity or availability impact, while rating the potential confidentiality impact as high.
The full vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. For administrators, its components provide a more useful picture than the 6.5 score alone:
  • The attack can be carried out across a network rather than requiring local access to the SharePoint server.
  • Exploitation has low complexity and does not depend on a race condition or an unusual deployment state.
  • The attacker must already possess low-level privileges.
  • No additional user must click a link, open a document, or approve a prompt.
  • Successful exploitation could expose sensitive information, although Microsoft assigns no direct integrity or availability loss.
The privilege requirement is the main limiting factor. An anonymous internet user cannot exploit CVE-2026-54108 solely by finding a SharePoint login page, based on the currently published assessment. An attacker would first need a valid account or another route into the SharePoint environment.
That prerequisite should not be treated as a strong boundary in organizations where SharePoint serves contractors, external collaborators, acquired business units, or large employee populations. Compromised Microsoft 365 or Active Directory credentials, excessive site permissions, dormant accounts, and weak federation controls can all turn an “authorized attacker” requirement into a realistic scenario.

Three On-Premises SharePoint Releases Need Updates​

Microsoft lists three x64 SharePoint product lines as affected. The corrected build thresholds published in the CVE record are:
SharePoint productVulnerable buildsCorrected build threshold
SharePoint Enterprise Server 2016Earlier than 16.0.5561.100116.0.5561.1001
SharePoint Server 2019Earlier than 16.0.10417.2017516.0.10417.20175
SharePoint Server Subscription EditionEarlier than 16.0.19725.2043416.0.19725.20434
The associated July security packages are KB5002882, KB5002883, and KB5002891. Administrators should match each package against the precise SharePoint edition and installed component inventory rather than assuming that a successful Windows Update cycle has secured the farm.
This is an on-premises SharePoint Server issue. Microsoft’s affected-product data does not list SharePoint Online, where the company controls service-side deployment. Organizations operating SharePoint Server in Azure virtual machines, hosted private clouds, or third-party data centers remain responsible for patching because those installations are still customer-managed SharePoint farms.
Checking only the Windows Server OS build is also insufficient. SharePoint security updates are product-level packages, and farms can remain exposed even when the underlying Windows Server hosts show no missing cumulative updates.
Administrators can verify installed SharePoint updates through Central Administration, PowerShell, Programs and Features, or their endpoint and vulnerability-management platforms. Build-number validation is especially useful in multi-server farms, where one missed application or web-front-end server can leave the deployment inconsistent.

The Patch Needs SharePoint-Aware Deployment​

SharePoint updates require more care than routine workstation patching. Farms often contain multiple web front ends, application servers, Search components, distributed cache roles, and tightly controlled maintenance windows. Installing a package on one node does not automatically prove that the full farm has reached the corrected state.
Microsoft’s established servicing model also requires administrators to account for the SharePoint Products Configuration Wizard or its PowerShell equivalent when completing applicable update work. Teams should follow Microsoft’s instructions for the specific packages, confirm that the configuration database and binaries are aligned, and avoid leaving the farm in a partially upgraded condition.
A practical deployment sequence should include inventorying every SharePoint server, testing the July packages against custom solutions, backing up configuration and content databases, and verifying farm health after the maintenance window. Administrators should also confirm that Search, authentication providers, Office Online Server integration, and third-party web parts continue functioning.
CVE-2026-54108 does not currently warrant emergency internet disconnection on its own. Microsoft and the Zero Day Initiative list no active exploitation or public disclosure as of July 14, 2026, and the attacker needs an authenticated foothold.
Still, the vulnerability belongs in the current SharePoint patch cycle rather than a distant quarterly backlog. SharePoint commonly stores documents, internal discussions, personnel records, operational procedures, and other material whose disclosure can be valuable even when the attacker cannot alter or destroy it.

Spoofing Deserves More Attention Inside Collaboration Systems​

The word spoofing can sound less serious than remote code execution, particularly during a Patch Tuesday containing Critical vulnerabilities. In a collaboration platform, however, the ability to manipulate how a path, filename, or network-served resource is represented can undermine assumptions users and applications make about where content originated.
The published CVSS assessment stops short of claiming that CVE-2026-54108 enables arbitrary file reads, credential theft, or code execution. Microsoft has also not released enough public technical detail to establish a specific exploit chain. Administrators should therefore avoid treating speculative attack demonstrations as confirmed behavior.
The high confidentiality rating nevertheless indicates that Microsoft expects meaningful information exposure to be possible following successful exploitation. Since no user interaction is required, exploitation could occur through direct requests made by an authenticated account rather than through a conventional phishing sequence.
That distinction also shapes monitoring. Security teams should review unusual SharePoint requests and activity associated with low-privileged or recently compromised accounts, particularly where filenames, paths, downloads, or resource references appear abnormal. Existing alerts for impossible travel, token misuse, anomalous downloads, and sudden activity from dormant accounts can provide useful supporting evidence even before vendor-specific detection guidance emerges.
CVE-2026-54108 was one of numerous SharePoint vulnerabilities addressed in Microsoft’s unusually large July 2026 security release, including several other spoofing flaws and the Critical-rated CVE-2026-50522 remote-code-execution vulnerability. Patch prioritization should consequently be performed at the update-package level: installing the applicable SharePoint security update can close several risks at once, including flaws more severe than the one that prompted the review.
For SharePoint administrators, the immediate milestone is concrete: bring Enterprise Server 2016 to build 16.0.5561.1001, Server 2019 to 16.0.10417.20175, and Subscription Edition to 16.0.19725.20434 or later, then verify every server in the farm. The unanswered question is whether Microsoft or independent researchers will publish deeper technical details that make the spoofing path easier to operationalize before organizations finish deploying July’s updates.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: caloes.ca.gov
  3. Related coverage: windowscentral.com
  4. Related coverage: pcgamer.com
 

Back
Top